Certified Public Accountants (CPAs) are a common target for cybercriminals. Throughout 2012, we intercepted several campaigns directly targeting CPAs in an attempt to trick them into clicking on the malicious links found in the emails. Once they click on any of the links, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

Email message:

Valued AICPA participant, We have received a notice of your potential participation in income tax return infringement on behalf of one of your customers. According to AICPA Bylaw Section # 700 your Certified Public Accountant status can be cancelled in case of the event of presenting of a improper or fraudulent income tax return on the member’s or a client’s behalf. Please be informed of the complaint below and provide explanation of this issue to it within 7 days. The waiver to submit explanation within this period would abide in revokation of your CPA license.

Upon execution, the sample also creates the following mutexes:

Local\XMM000005D4
SHIMLIB_LOG_MUTEX
Local\XMM00000264
Local\XMQ426FB97F
Local\XMM000001D0

and the following Registry Keys:

\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\CBA6D3F36
\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\S9CC20790

Responding to the same IP (59.57.247.185) in the time of posting this analysis are also the following malicious domains:
moid.pl
securityday.pl
pleansantwille.com
labpr.com
ibertomoralles.com
shopgreatvideonax.com
eaglepointecondo.co
zindt.net
naky.net
svictrorymedia.ru
ygsecured.ru
romoviebabenki.ru
robertokarlosskiy.su
africanbeat.net
incinteractive.net
lloydstsb-offshoren.com
sessionid0147239047829578349578239077.pl
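An added example, not code from the original post, of how a defender would sweep DNS resolver logs and a host's open-mutex list for the indicators listed in this analysis. The indicator values (domains, the shared IP, the name servers and the mutex names) are taken from the post; the log line format, the log lines themselves and the observed-mutex list are constructed for illustration, and the `Local\` separator in the mutex names is assumed from the standard Windows object namespace.

```python
"""Constructed IoC sweep for the campaign described in the analysis above.

Added example, not from the original post. Indicator values come from the
post; the log format, sample log lines and sample mutex list are constructed.
"""
import re
from typing import Dict, List

# Indicators copied from the analysis.
MALICIOUS_IP = "59.57.247.185"
MALICIOUS_DOMAINS = {
    "moid.pl", "securityday.pl", "pleansantwille.com", "labpr.com",
    "ibertomoralles.com", "shopgreatvideonax.com", "eaglepointecondo.co",
    "zindt.net", "naky.net", "svictrorymedia.ru", "ygsecured.ru",
    "romoviebabenki.ru", "robertokarlosskiy.su", "africanbeat.net",
    "incinteractive.net", "lloydstsb-offshoren.com",
    "sessionid0147239047829578349578239077.pl",
}
MALICIOUS_NS = {"ns1.amishshoppe.net", "ns2.amishshoppe.net"}
# Backslash separator assumed (standard "Local\" mutex namespace).
MALICIOUS_MUTEXES = {
    r"Local\XMM000005D4", "SHIMLIB_LOG_MUTEX", r"Local\XMM00000264",
    r"Local\XMQ426FB97F", r"Local\XMM000001D0",
}

# Constructed resolver log format (assumption): "<ts> <client> <qtype> <qname> <answer>"
DNS_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def domain_matches(qname: str) -> bool:
    """True if qname is a listed domain or a subdomain of one (case-insensitive)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in MALICIOUS_DOMAINS)


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag queries that hit a listed domain, resolve to the shared IP,
    or are delegated to the campaign's name servers (the pivot the post uses)."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        ts, client, _qtype, qname, answer = m.groups()
        reasons = []
        if domain_matches(qname):
            reasons.append("listed-domain")
        if answer == MALICIOUS_IP:
            reasons.append("shared-ip")  # catches domains not yet on the list
        if answer.lower().rstrip(".") in MALICIOUS_NS:
            reasons.append("shared-nameserver")
        if reasons:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "answer": answer, "reason": ",".join(reasons)})
    return hits


def scan_mutexes(observed: List[str]) -> List[str]:
    """Return the mutex names from a host or sandbox report that match the post's list."""
    return sorted(m for m in observed if m in MALICIOUS_MUTEXES)


# Constructed sample telemetry (reserved example domains and TEST-NET addresses for benign traffic).
SAMPLE_DNS_LOG = [
    "2012-11-01T10:00:01Z 10.0.0.5 A www.example.org 192.0.2.10",
    "2012-11-01T10:00:07Z 10.0.0.5 A www.labpr.com 59.57.247.185",
    "2012-11-01T10:00:09Z 10.0.0.8 A newdrop.example.net 59.57.247.185",
    "2012-11-01T10:00:12Z 10.0.0.8 NS naky.net ns1.amishshoppe.net",
    "garbage line that does not parse",
]
SAMPLE_MUTEXES = [r"Local\XMM000001D0", "SHIMLIB_LOG_MUTEX", r"Local\ZonesCounterMutex"]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['qname']} -> {hit['answer']} [{hit['reason']}]")
    print("matching mutexes:", scan_mutexes(SAMPLE_MUTEXES))
```

The `shared-ip` and `shared-nameserver` checks matter more than the domain list itself: the post's point is that the infrastructure (one IP, one pair of name servers) is reused across campaigns, so a resolver log entry for a domain that is not yet on any list but answers with the same IP or is delegated to the same name servers deserves the same attention.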

We’ve already seen the same name servers (NS1.AMISHSHOPPE.NET; NS2.AMISHSHOPPE.NET) used in the following previously profiled campaigns, indicating that all of these campaigns have been launched by the same malicious party.